arjun180 opened a new issue #1263:
URL: https://github.com/apache/camel-kafka-connector/issues/1263


   I have an AWS S3 source connector with the following configuration:
   
   ```
   apiVersion: kafka.strimzi.io/v1beta2
   kind: KafkaConnector
   metadata:
     name: source-connector
     namespace: my-namespace
     labels:
       strimzi.io/cluster: my-connect-cluster
   spec:
     class: org.apache.camel.kafkaconnector.aws2s3.CamelAws2s3SourceConnector
     serviceAccountName: my-kafka-sa
     tasksMax: 1
     config:
       topics: my-source-topic
       camel.source.path.bucketNameOrArn: my-kafka-connect
       camel.component.aws2-s3.useDefaultCredentialsProvider: true
       camel.component.aws2-s3.moveAfterRead: false
       camel.source.endpoint.region: xxxxxx
       camel.component.aws2-s3.deleteAfterRead: true
   ```
   We are trying to get all the pods in our Kafka ecosystem to use a specific
   web identity token file based on a custom IAM role. The idea is to add IAM
   credentials to each of the CRDs deployed by the operator in EKS (in this case,
   it's Kafka Connect). I do realize that
   `camel.component.aws2-s3.useDefaultCredentialsProvider: true` has the connector
   use the default EKS node role, but we'd want it to use the
   `serviceAccountName: my-kafka-sa`. We did configure the above but got the
   following error when trying to run a `kubectl describe kafkaconnector`:
   
   ```
   Caused by: software.amazon.awssdk.core.exception.SdkClientException: Unable 
to load credentials from any of the providers in the chain 
AwsCredentialsProviderChain(credentialsProviders=[SystemPropertyCredentialsProvider(),
 EnvironmentVariableCredentialsProvider(), 
WebIdentityTokenCredentialsProvider(), ProfileCredentialsProvider(), 
ContainerCredentialsProvider(), InstanceProfileCredentialsProvider()]) : 
[SystemPropertyCredentialsProvider(): Unable to load credentials from system 
settings. Access key must be specified either via environment variable 
(AWS_ACCESS_KEY_ID) or system property (aws.accessKeyId)., 
EnvironmentVariableCredentialsProvider(): Unable to load credentials from 
system settings. Access key must be specified either via environment variable 
(AWS_ACCESS_KEY_ID) or system property (aws.accessKeyId)., 
WebIdentityTokenCredentialsProvider(): To use web identity tokens, the 'sts' 
service module must be on the class path., ProfileCredentialsProvider(): 
Profile file contained no credentials for profile 'default': 
ProfileFile(profiles=[]), 
ContainerCredentialsProvider(): Cannot fetch credentials from container - 
neither AWS_CONTAINER_CREDENTIALS_FULL_URI or 
AWS_CONTAINER_CREDENTIALS_RELATIVE_URI environment variables are set., 
InstanceProfileCredentialsProvider(): Unable to load credentials from service 
endpoint.]
     at software.amazon.awssdk.core.exception.SdkClientException$BuilderImpl.build(SdkClientException.java:98)
     at software.amazon.awssdk.auth.credentials.AwsCredentialsProviderChain.resolveCredentials(AwsCredentialsProviderChain.java:112)
     at software.amazon.awssdk.auth.credentials.internal.LazyAwsCredentialsProvider.resolveCredentials(LazyAwsCredentialsProvider.java:45)
     at software.amazon.awssdk.auth.credentials.DefaultCredentialsProvider.resolveCredentials(DefaultCredentialsProvider.java:104)
     at software.amazon.awssdk.awscore.client.handler.AwsClientHandlerUtils.createExecutionContext(AwsClientHandlerUtils.java:79)
     at software.amazon.awssdk.awscore.client.handler.AwsSyncClientHandler.createExecutionContext(AwsSyncClientHandler.java:68)
     at software.amazon.awssdk.core.internal.handler.BaseSyncClientHandler.lambda$execute$1(BaseSyncClientHandler.java:97)
     at software.amazon.awssdk.core.internal.handler.BaseSyncClientHandler.measureApiCallSuccess(BaseSyncClientHandler.java:167)
     at software.amazon.awssdk.core.internal.handler.BaseSyncClientHandler.execute(BaseSyncClientHandler.java:94)
     at software.amazon.awssdk.core.client.handler.SdkSyncClientHandler.execute(SdkSyncClientHandler.java:45)
     at software.amazon.awssdk.awscore.client.handler.AwsSyncClientHandler.execute(AwsSyncClientHandler.java:55)
     at software.amazon.awssdk.services.s3.DefaultS3Client.headBucket(DefaultS3Client.java:4861)
     at org.apache.camel.component.aws2.s3.AWS2S3Endpoint.doStart(AWS2S3Endpoint.java:98)
     at org.apache.camel.support.service.BaseService.start(BaseService.java:115)
     at org.apache.camel.support.service.ServiceHelper.startService(ServiceHelper.java:113)
     at org.apache.camel.impl.engine.RouteService.doWarmUp(RouteService.java:186)
     at org.apache.camel.impl.engine.RouteService.warmUp(RouteService.java:121)
   
   ```
   
   We checked the Kafka Connect resource:
   
   ```
   WS_DEFAULT_REGION=<region>
   AWS_WEB_IDENTITY_TOKEN_FILE=/eks.amazonaws.com/serviceaccount/token
   AWS_REGION=<region>
   AWS_ROLE_ARN=arn:aws:iam::xxxxxxxxxxxx:role/my-kafka-sa
   ```
   
   How could we get the connectors to use the specified IAM credentials instead 
of the default EKS node role?
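
An added example, not part of the original issue or of the connector's code: it splits the `AwsCredentialsProviderChain` message above into per-provider reasons and picks out the one that matters for the posted pod environment. The sample message is a shortened, constructed copy of the trace, and the function names are hypothetical.

```python
import re

# Constructed sample: the chain error from the issue, unwrapped and shortened.
CHAIN_ERROR = (
    "Unable to load credentials from any of the providers in the chain "
    "AwsCredentialsProviderChain(credentialsProviders=[...]) : "
    "[EnvironmentVariableCredentialsProvider(): Unable to load credentials from "
    "system settings., WebIdentityTokenCredentialsProvider(): To use web identity "
    "tokens, the 'sts' service module must be on the class path., "
    "ProfileCredentialsProvider(): Profile file contained no credentials for "
    "profile 'default': ProfileFile(profiles=[]), "
    "InstanceProfileCredentialsProvider(): Unable to load credentials from "
    "service endpoint.]"
)
# Pod environment as posted in the issue (placeholders kept as they appear).
POD_ENV = {
    "AWS_WEB_IDENTITY_TOKEN_FILE": "/eks.amazonaws.com/serviceaccount/token",
    "AWS_ROLE_ARN": "arn:aws:iam::xxxxxxxxxxxx:role/my-kafka-sa",
    "AWS_REGION": "<region>",
}
ENTRY = re.compile(r"(\w+CredentialsProvider)\(\): ")

def parse_chain_error(message):
    """Map each provider name to its failure reason."""
    text = " ".join(message.split())  # undo hard line wraps
    hits = list(ENTRY.finditer(text))
    reasons = {}
    for i, hit in enumerate(hits):
        end = hits[i + 1].start() if i + 1 < len(hits) else len(text)
        # Slice between provider markers: reasons themselves contain ", ".
        reasons[hit.group(1)] = text[hit.end():end].rstrip(" ,]")
    return reasons

def expected_provider(env):
    """First provider, in chain order, the environment is set up for (simplified)."""
    if env.get("AWS_ACCESS_KEY_ID") and env.get("AWS_SECRET_ACCESS_KEY"):
        return "EnvironmentVariableCredentialsProvider"
    if env.get("AWS_WEB_IDENTITY_TOKEN_FILE") and env.get("AWS_ROLE_ARN"):
        return "WebIdentityTokenCredentialsProvider"
    return "InstanceProfileCredentialsProvider"

def triage(message, env):
    """Return the provider that should have worked and why it did not."""
    provider = expected_provider(env)
    reason = parse_chain_error(message).get(provider, "not reported in chain")
    return {"expected": provider, "reason": reason,
            "sts_module_missing": "'sts' service module" in reason}

if __name__ == "__main__":
    print(triage(CHAIN_ERROR, POD_ENV))
```

With the posted variables, the entry to read is the `WebIdentityTokenCredentialsProvider` one, and its reported reason is a missing 'sts' module on the class path rather than a denied role assumption.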

